Abstract. The Anshel-Anshel-Goldfeld-Lemieux (abbreviated AAGL) key agreement protocol [2] is proposed to be used on low-cost platforms which constrain the use of computational resources. The core of the protocol is the concept of an Algebraic Eraser (abbreviated AE) which is claimed to be a suitable primitive for use within lightweight cryptography. The AE primitive is based on a new and ingenious idea of using an action of a semidirect product on a (semi)group to obscure the involved algebraic structures. The underlying motivation for the AAGL protocol is the need to secure networks which deploy Radio Frequency Identification (RFID) tags used for identification, authentication, tracing and point-of-sale applications.

In this paper we revisit the computational problem on which AE relies and heuristically analyze its hardness. We show that for the proposed parameter values it is impossible to instantiate the protocol securely. To be more precise, in 100% of randomly generated instances of the protocol we were able to find a secret conjugator $z$ generated by the TTP algorithm (part of the AAGL protocol).



1. The Colored Burau Key Agreement Protocol 

A general mathematical framework of the AAGL protocol is quite complicated. In this paper we try to omit unnecessary details and simplify the notation of [5] as much as possible. We refer an interested reader to [3, Sections 2 and 3] for a complete description. Here we start out by giving a particular implementation of the primitive called the Colored Burau Key Agreement Protocol (CBKAP).



1.1. A platform group. Fix an integer $n > 7$ and a prime $p$. Let $t = \{t_1, \dots, t_n\}$ be a set of variables and, for $i = 1, \dots, n-1$, let $x_i(t)$ be the $n \times n$ matrix which is the identity matrix except for the $i$th row, where it has successive entries $t_i, -t_i, 1$ with $-t_i$ on the diagonal. We look at the matrices $x_1(t), \dots, x_{n-1}(t)$ as elements of the group $GL(n, \mathbb{F}_p(t))$ of $n \times n$ matrices with entries Laurent polynomials over the finite field $\mathbb{F}_p$. The symmetric group on $n$ symbols $S_n$ acts on $GL(n, \mathbb{F}_p(t))$ by permuting the variables $t_1, \dots, t_n$. We denote the result of the action of $s \in S_n$ on $x \in GL(n, \mathbb{F}_p(t))$ by ${}^s x$.

The semidirect product $GL(n, \mathbb{F}_p(t)) \rtimes S_n$ of the groups $GL(n, \mathbb{F}_p(t))$ and $S_n$ relative to the defined action of $S_n$ on the matrices $GL(n, \mathbb{F}_p(t))$ is the set of pairs

$\{(m, s) \mid m \in GL(n, \mathbb{F}_p(t)),\ s \in S_n\}$

with multiplication given by

$(m_1, s_1) \cdot (m_2, s_2) := (m_1 \cdot {}^{s_1} m_2,\ s_1 \cdot s_2).$



Denote by $s_i = (i, i+1) \in S_n$ the transposition which interchanges $i$ and $i+1$ and by $g_i$ the element of the semidirect product $GL(n, \mathbb{F}_p(t)) \rtimes S_n$

$g_i = (x_i(t), s_i).$

The subgroup $G = \langle g_1, \dots, g_{n-1} \rangle$ of $GL(n, \mathbb{F}_p(t)) \rtimes S_n$ is called the colored Burau group. The group $G$ is the platform group for the AAGL key agreement protocol.

Recall that the group $B_n$ of $n$-strand braids has the classical Artin's presentation:



A word over the group alphabet $\{\sigma_1, \dots, \sigma_{n-1}\}$ is called a braid word. Any $n$-strand braid can be represented by a braid word. The length of a shortest braid word representing an element $g \in B_n$ is called the geodesic length of $g$ relative to Artin's set of generators and is denoted by $|g|$. The function $|\cdot| : B_n \to \mathbb{N}$ is called the geodesic length function on $B_n$.

Lemma 1.1. The elements $g_i = (x_i(t), s_i)$, for $i = 1, 2, \dots, n-1$, satisfy the braid relations and hence determine a representation of the braid group $B_n$, i.e., the mapping $\sigma_i \mapsto g_i$ defines a group epimorphism

$\varphi : B_n \to G.$

Proof. Straightforward check. □

1.2. Action of the platform group on $GL(n, \mathbb{F}_p)$. Fix elements $\tau_1, \dots, \tau_n \in \mathbb{F}_p$ and define a homomorphism $\pi$ which maps $GL(n, \mathbb{F}_p(t))$ into $GL(n, \mathbb{F}_p)$ by assigning the value $\tau_i$ to the variable $t_i$, i.e., by evaluating a matrix at $\tau_1, \dots, \tau_n$. We call $\pi$ the evaluation function.

Assumption on $\tau_1, \dots, \tau_n$. We assume that $\pi$ defines a correct group homomorphism.
Relative to the chosen tuple $\tau_1, \dots, \tau_n \in \mathbb{F}_p$ and the corresponding function $\pi$ one can define an action of $GL(n, \mathbb{F}_p(t)) \rtimes S_n$ on $GL(n, \mathbb{F}_p) \times S_n$ by putting

$(m_1, s_1) \star (m_2, s_2) = (m_1 \cdot \pi({}^{s_1} m_2),\ s_1 s_2),$

where $\star$ denotes the action. Indeed, it is not difficult to check that $\star$ is an action and satisfies the property

$((m_1, s_1) \star (m_2, s_2)) \star (m_3, s_3) = (m_1, s_1) \star ((m_2, s_2) \cdot (m_3, s_3)).$

We say that $(m_1, s_1)$ and $(m_2, s_2)$ $\star$-commute if the equality

$(\pi(m_1), s_1) \star (m_2, s_2) = (\pi(m_2), s_2) \star (m_1, s_1)$

holds. The next lemma is obvious.

Lemma 1.2. Let $w = \prod_{k=1}^{m} (x_{i_k}(t), s_{i_k})$ and $v = \prod_{p=1}^{l} (x_{j_p}(t), s_{j_p})$ be such that $|i_k - j_p| > 1$ for every $k = 1, \dots, m$ and $p = 1, \dots, l$. Then the elements $w$ and $v$ $\star$-commute.

1.3. The protocol. Before the parties perform actual transmissions the following data is prepared by the Trusted Third Party (TTP).

• A matrix $m_0 \in GL(n, \mathbb{F}_p)$ which has an irreducible characteristic polynomial over $\mathbb{F}_p$. The choice of $m_0$ is not relevant for the purposes of this paper; we refer the reader to [...] for more information on how $m_0$ can be generated randomly.

• $\star$-commuting subgroups $A = \langle w_1, \dots, w_\gamma \rangle$ and $B = \langle v_1, \dots, v_\gamma \rangle$ of the group $G$. We want to point out that the elements $w_i$ and $v_j$ are given to us as products of generators of $G$ and their inverses, i.e., as formal words in the group alphabet $\{g_1, \dots, g_{n-1}\}$. We prefer this form because it allows us to avoid time consuming matrix multiplication in $GL(n, \mathbb{F}_p(t))$.



Both the matrix $m_0$ and the subgroups $A$ and $B$ can be chosen only once. Now, the public and private keys are chosen as follows:

Alice's Private Key: is a pair which consists of a matrix of the form

$n_a = l_1 m_0^{\alpha_1} + l_2 m_0^{\alpha_2} + \dots + l_r m_0^{\alpha_r} \in GL(n, \mathbb{F}_p)$

(where $l_1, \dots, l_r \in \mathbb{F}_p$ and $r, \alpha_1, \dots, \alpha_r \in \mathbb{Z}_+$) and a random sequence $w_{i_1}^{\varepsilon_1}, \dots, w_{i_k}^{\varepsilon_k}$ of generators of $A$ and their inverses.

Alice's Public Key: is an element

$A_{public} = (n_a, id) \star w_{i_1}^{\varepsilon_1} \star \dots \star w_{i_k}^{\varepsilon_k} \in GL(n, \mathbb{F}_p) \times S_n.$

Recall that each $w_{i_k}^{\varepsilon_k}$ is given as a formal product of the generators of $G$. To perform the $\star$-operation efficiently one should not compute $w_{i_k}^{\varepsilon_k}$ directly, but apply the factors of $w_{i_k}^{\varepsilon_k}$ to the argument one after another.
Bob's Private Key: is a pair which consists of a matrix of the form

$n_b = l'_1 m_0^{\beta_1} + l'_2 m_0^{\beta_2} + \dots + l'_{r'} m_0^{\beta_{r'}} \in GL(n, \mathbb{F}_p)$

(where $l'_1, \dots, l'_{r'} \in \mathbb{F}_p$ and $r', \beta_1, \dots, \beta_{r'} \in \mathbb{Z}_+$) and a random sequence $v_{j_1}^{\varepsilon_1}, \dots, v_{j_{k'}}^{\varepsilon_{k'}}$ of generators of $B$ and their inverses.

Bob's Public Key: is a pair

$B_{public} = (n_b, id) \star v_{j_1}^{\varepsilon_1} \star \dots \star v_{j_{k'}}^{\varepsilon_{k'}} \in GL(n, \mathbb{F}_p) \times S_n.$

Again, each $v_{j_k}^{\varepsilon_k}$ is given as a formal product of the generators of $G$. To perform the $\star$-operation efficiently one should not compute $v_{j_k}^{\varepsilon_k}$ directly, but apply the factors of $v_{j_k}^{\varepsilon_k}$ to the argument one after another.
The shared key: is an element of $GL(n, \mathbb{F}_p) \times S_n$ obtained by Alice in the form

$[(n_a, id) \cdot B_{public}] \star w_{i_1}^{\varepsilon_1} \star \dots \star w_{i_k}^{\varepsilon_k}$

and by Bob in the form

$[(n_b, id) \cdot A_{public}] \star v_{j_1}^{\varepsilon_1} \star \dots \star v_{j_{k'}}^{\varepsilon_{k'}}.$

It requires a little work to prove that the obtained elements are indeed equal in $GL(n, \mathbb{F}_p)$. We omit the proof.
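The following Python script is an added worked example (not code from the paper or from the AAGL authors) of the protocol just described: it realizes the $\star$-action by applying the factors $g_i^{\pm 1}$ of each word one after another, so that no matrix over $\mathbb{F}_p(t)$ is ever formed, then runs Alice's and Bob's computations and checks that their shared keys coincide. It assumes toy sizes $n = 8$, $p = 13$, nonzero evaluation points $\tau_i$, a fixed matrix $m_0$ whose characteristic polynomial is not checked for irreducibility, and generator sets $BL = \{1, 2, 3\}$, $BR = \{5, 6, 7\}$; all words are constructed at random from a fixed seed.

```python
# Added example, not the paper's code: CBKAP with the *-action applied one factor g_i^{+-1}
# at a time, so no matrix over F_p(t) is built.  Toy n = 8, p = 13; tau, m0, words constructed.
import random
n, p = 8, 13
rng = random.Random(7)                          # fixed seed: reproducible run
tau = [rng.randrange(1, p) for _ in range(n)]   # evaluation points, all nonzero (assumed)

def identity(k):
    return [[int(i == j) for j in range(k)] for i in range(k)]
def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(n)) % p for j in range(n)] for i in range(n)]

def apply_generator(state, i, eps):
    """(m, s) * g_i^eps for 1 <= i <= n-1.  Only row i (0-indexed r = i-1) of the evaluated
    factor pi(^s x_i(t)^eps) is non-identity; ^s sends t_j to t_{s(j)}, hence tau[s[...]]."""
    m, s = state
    r, f = i - 1, identity(n)
    if eps == 1:                      # x_i(t): row i = (t_i, -t_i, 1) in columns i-1, i, i+1
        v = tau[s[r]]
        if r: f[r][r - 1] = v
        f[r][r], f[r][r + 1] = (-v) % p, 1
    else:                             # ^{s_i}(x_i(t)^{-1}): row i = (1, -1/t_{i+1}, 1/t_{i+1})
        v = pow(tau[s[r + 1]], -1, p)
        if r: f[r][r - 1] = 1
        f[r][r], f[r][r + 1] = (-v) % p, v
    s_i = list(range(n)); s_i[r], s_i[r + 1] = s_i[r + 1], s_i[r]
    return mat_mul(m, f), [s[s_i[j]] for j in range(n)]      # (m . pi(^s x), s . s_i)

def e_mult(state, word):
    """(m, s) * w for a braid word w = [(i, eps), ...], applied factor by factor."""
    for i, eps in word:
        state = apply_generator(state, i, eps)
    return state

def random_word(gens, length):
    return [(rng.choice(gens), rng.choice((1, -1))) for _ in range(length)]

def expand(seq, gens):
    """w_{i_1}^{e_1} ... w_{i_k}^{e_k} as one braid word; an inverse reverses and negates."""
    out = []
    for idx, e in seq:
        out += gens[idx] if e == 1 else [(i, -f) for i, f in reversed(gens[idx])]
    return out

# TTP data: BL and BR are disjoint with |i - j| >= 2, so words over them *-commute
# (Lemma 1.2); m0 is just some matrix, its characteristic polynomial is NOT checked.
BL, BR = [1, 2, 3], [5, 6, 7]
A_gens = [random_word(BL, 10) for _ in range(6)]
B_gens = [random_word(BR, 10) for _ in range(6)]
m0 = [[(3 * i * j + i + 2 * j + 1) % p for j in range(n)] for i in range(n)]

def poly_in_m0(terms):
    """l_1 m0^{a_1} + ... + l_r m0^{a_r} for terms = [(l, a), ...]; such matrices commute."""
    total = [[0] * n for _ in range(n)]
    for l, a in terms:
        mp = identity(n)
        for _ in range(a): mp = mat_mul(mp, m0)
        total = [[(total[i][j] + l * mp[i][j]) % p for j in range(n)] for i in range(n)]
    return total

def keypair(n_mat, gens, k):
    """Private: (n_mat, [(i_1, e_1), ...]); public: (n_mat, id) * w_{i_1}^{e_1} * ... ."""
    seq = [(rng.randrange(len(gens)), rng.choice((1, -1))) for _ in range(k)]
    return (n_mat, seq), e_mult((n_mat, list(range(n))), expand(seq, gens))

def shared_key(priv, gens, other_pub):
    """[(n_mat, id) . other_pub] * w_{i_1}^{e_1} * ..., as in the description above."""
    (n_mat, seq), (m, s) = priv, other_pub
    return e_mult((mat_mul(n_mat, m), s), expand(seq, gens))

n_a = poly_in_m0([(3, 1), (5, 2), (7, 4)])      # r = 3 terms, as in the proposed parameters
n_b = poly_in_m0([(2, 1), (11, 3), (1, 5)])
alice_priv, alice_pub = keypair(n_a, A_gens, 5)
bob_priv, bob_pub = keypair(n_b, B_gens, 5)
K_alice, K_bob = shared_key(alice_priv, A_gens, bob_pub), shared_key(bob_priv, B_gens, alice_pub)
print("shared keys agree:", K_alice == K_bob)
```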

1.4. TTP algorithm. The cornerstone of the proposed key exchange is the choice of $\star$-commuting subgroups of the group $G$. The basic idea is to use Lemma 1.1 and choose commuting subgroups $A$ and $B$ in $B_n$ and then pull them into $G$ using the epimorphism $\varphi$. The resulting subgroups $\varphi(A)$ and $\varphi(B)$ of $G$ commute. Moreover, for any choice of $\pi$ the subgroups $\varphi(A)$ and $\varphi(B)$ $\star$-commute.

Before we present the algorithm we need to give some details about the braid group $B_n$. The group $B_n$ has a cyclic center generated by the element $\Delta^2$, where $\Delta$ is an element called the half twist and can be expressed in the generators of $B_n$ as follows:

$\Delta = (\sigma_1 \cdots \sigma_{n-1}) \cdot (\sigma_1 \cdots \sigma_{n-2}) \cdot \dots \cdot (\sigma_1).$

Any element $g \in B_n$ can be uniquely represented in a form

$\Delta^p \xi_1 \cdots \xi_k$

satisfying certain conditions and called the left Garside normal form.

Now, since $\Delta^2$ is a central element, it follows that elements $u, w$ commute in $B_n$ if and only if $u\Delta^{2p}$ and $w\Delta^{2r}$ do (for any choice of $p, r \in \mathbb{Z}$). Hence, we may always assume that the normal forms of the generators $\{w_1, \dots, w_\gamma\}$ and $\{v_1, \dots, v_\gamma\}$ have the power of $\Delta$ equal to $0$ or $-1$. When we say that we reduce a braid modulo $\Delta^2$ we mean changing the $\Delta$-power of its normal form to $-1$ or $0$ depending on parity.

The algorithm below (originally proposed in [2]) generates two $\star$-commuting subgroups.

Algorithm 1.3. (TTP algorithm)

(1) Choose two secret subsets $BL = \{\sigma_{l_1}, \sigma_{l_2}, \dots\}$, $BR = \{\sigma_{r_1}, \sigma_{r_2}, \dots\}$ of the set of generators of $B_n$, where $|l_i - r_j| \geq 2$ for all $i$ and $j$.

(2) Choose a secret element $z \in B_n$.

(3) Choose words $\{w_1, \dots, w_\gamma\}$ of bounded length over the generators $BL$.

(4) Choose words $\{v_1, \dots, v_\gamma\}$ of bounded length over the generators $BR$.

(5) For each $i = 1, \dots, \gamma$:

(a) calculate the left normal form of $z w_i z^{-1}$ and reduce the result modulo $\Delta^2$;

(b) put $w'_i$ to be a braid word corresponding to the element calculated in (a);

(c) calculate the left normal form of $z v_i z^{-1}$ and reduce the result modulo $\Delta^2$;

(d) put $v'_i$ to be a braid word corresponding to the element calculated in (c).

(6) Publish the sets $\{v'_1, \dots, v'_\gamma\}$ and $\{w'_1, \dots, w'_\gamma\}$.

We want to point out that the TTP algorithm produces generators of two commuting subgroups in $B_n$. Alice and Bob need to compute their images in $GL(n, \mathbb{F}_p(t))$ to obtain $\star$-commuting subgroups.

1.5. Security assumptions. It was noticed in [2] that if the conjugator $z$ generated randomly by the TTP algorithm is known, then there exists an efficient linear attack on the scheme which is able to recover the shared key of the parties. The problem of recovering the exact $z$ seems like a very difficult mathematical problem because it reduces to solving the system of equations

(1)
$w'_1 = \Delta^{2p_1} z w_1 z^{-1}$
$\vdots$
$w'_\gamma = \Delta^{2p_\gamma} z w_\gamma z^{-1}$
$v'_1 = \Delta^{2r_1} z v_1 z^{-1}$
$\vdots$
$v'_\gamma = \Delta^{2r_\gamma} z v_\gamma z^{-1}$

which has too many unknowns; only the left hand sides (i.e., the elements $w'_1, \dots, w'_\gamma, v'_1, \dots, v'_\gamma$) are known. Hence, it might be difficult to find the original $z$.

Now observe that the AAGL key exchange protocol uses only the output of the TTP algorithm, namely the tuples $\{v'_1, \dots, v'_\gamma\}$ and $\{w'_1, \dots, w'_\gamma\}$, since all internal values of the TTP algorithm are not available to the parties. In other words, it is irrelevant for the protocol how two particular commuting generating sets were constructed. This observation leads us to the following problem:

For tuples $\{v'_1, \dots, v'_\gamma\}$ and $\{w'_1, \dots, w'_\gamma\}$ find any $z'$ and any numbers $p_1, \dots, p_\gamma, r_1, \dots, r_\gamma \in \mathbb{Z}$ such that the words $\{\Delta^{2p_1} z'^{-1} v'_1 z', \dots, \Delta^{2p_\gamma} z'^{-1} v'_\gamma z'\}$ and $\{\Delta^{2r_1} z'^{-1} w'_1 z', \dots, \Delta^{2r_\gamma} z'^{-1} w'_\gamma z'\}$ can be expressed as words over two disjoint commuting subsets of generators of $B_n$.

This is a new problem for computational group theory. Let us refer to it as the simultaneous conjugacy separation search problem (abbreviated SCSSP). We want to emphasize that SCSSP has little in common with the simultaneous conjugacy search problem often referenced in papers on braid group cryptanalysis. The main difference is that in the conjugacy search problem both conjugate elements are available and the goal is to recover the secret conjugator, whereas in the case of SCSSP only the left side of the equation is known. It is not clear if one of the problems can be reduced to the other.

It follows from the observation above that any solution $z'$ to the problem stated above plays the role of the conjugator $z$ and can be used in the linear attack outlined in [2]. The main goal of this paper is to present an algorithm which for the proposed parameter values solves SCSSP. Experimental results convince us that our attack is a serious threat for AAGL, as the success rate is 100%. Furthermore, a slight modification of the algorithm produces the exact $z$ generated by the TTP in 40% of randomly generated instances.

1.6. Proposed parameter values. To provide 80 bits of security against exhaustive search for $z$, the authors of the scheme propose two slightly different sets of parameters:

• Parameter set #1.

— Let $n = 14$, $p = 13$, and $r = 3$.

— Choose the conjugator $z$ randomly of length 17.

— Choose the words $w_i$ and $v_j$ randomly of length approximately 10.

— The number $\gamma$ of the words $w_i$ and $v_j$ is 27.

• Parameter set #2.

— Let $n = 12$, $p = 13$, and $r = 3$.

— Choose the conjugator $z$ randomly of length 18.

— Choose the words $w_i$ and $v_j$ randomly of length approximately 10.

— The number $\gamma$ of the words $w_i$ and $v_j$ is 27.

2. TTP Attack

In this section we describe a heuristic attack which finds a solution to a given instance of SCSSP. The main ingredient of our attack is a length function on the group $B_n$. As explained in [5], there are no known efficiently computable and "sharp" length functions for braid groups. Therefore, for our attack we adopt the method of approximation of the geodesic length function originally proposed in [5]. In all our algorithms we denote by $|\cdot|$ the approximation of the geodesic length function.

We present results of experiments which show that a fast heuristic procedure based on length-based reduction is extremely successful for the suggested parameters. In fact, every instance of the TTP algorithm generated in our experiments has been broken.

2.1. Generation. The original paper [5] lacks any details on how to randomly generate the secret element $z$ and the words $\{w_1, \dots, w_\gamma\}$, $\{v_1, \dots, v_\gamma\}$ in the TTP algorithm. Hence, in all our experiments:

• The word $z$ is taken uniformly at random as a word of a particular length from the ambient free group $F(\sigma_1, \dots, \sigma_{n-1})$.

• The words $w_1, \dots, w_\gamma$ and $v_1, \dots, v_\gamma$ are taken uniformly at random as words of particular lengths from the ambient free groups $F(BL)$ and $F(BR)$.

Also, the authors suggest to take the sets $BL$ and $BR$ randomly in step (1) of the TTP algorithm. Observe that in general this might result in a choice of $BL$ such that for some $1 \leq i < j < k \leq n-1$

$\sigma_i, \sigma_k \in BL$, but $\sigma_j \in BR$.

We think that this situation is not desirable, as it excludes the use of at least two braid generators in the words $w_i$ and $v_j$. We think that the choice of the sets

$BL = \{\sigma_1, \dots, \sigma_l\}$ and $BR = \{\sigma_{l+2}, \dots, \sigma_{n-1}\}$

(where $n$ is an even number and $l = (n-2)/2$) is optimal, as it excludes only $\sigma_{l+1}$, which maximizes the size of the space for the words $w_1, \dots, w_\gamma$ and $v_1, \dots, v_\gamma$.

2.2. Recovering $\Delta$-powers. The first stage of our attack is recovering the $\Delta$-powers in the system (1), i.e., computing the numbers $p_1, \dots, p_\gamma$ and $r_1, \dots, r_\gamma$. The main tool in our computations below is the triangle inequality for the Cayley graph of the braid group $B_n$. Observe that the following inequalities hold.

(Parameter set #1) For each $i = 1, \dots, \gamma$

$|z^{-1} u_i z| \leq 2|z| + |u_i| = 44$ and $|z^{-1} w_j z| \leq 2|z| + |w_j| = 44$

and

$|\Delta^{2p}| = p\,n(n-1) = 182p.$

Hence $|\Delta^{2p} z^{-1} u_i z|, |\Delta^{2p} z^{-1} w_j z| \in [182p - 44,\ 182p + 44]$ and

$|\Delta^{2p} z^{-1} u_i z| - |\Delta^{2(p-1)} z^{-1} u_i z| \geq 182 - 2 \cdot 44 = 94,$

$|\Delta^{2p} z^{-1} w_j z| - |\Delta^{2(p-1)} z^{-1} w_j z| \geq 182 - 2 \cdot 44 = 94.$

(Parameter set #2) For each $i = 1, \dots, \gamma$

$|z^{-1} u_i z| \leq 2|z| + |u_i| = 46$ and $|z^{-1} w_j z| \leq 2|z| + |w_j| = 46$

and

$|\Delta^{2p}| = p\,n(n-1) = 132p.$

Hence $|\Delta^{2p} z^{-1} u_i z|, |\Delta^{2p} z^{-1} w_j z| \in [132p - 46,\ 132p + 46]$ and

$|\Delta^{2p} z^{-1} u_i z| - |\Delta^{2(p-1)} z^{-1} u_i z| \geq 132 - 2 \cdot 46 = 40,$

$|\Delta^{2p} z^{-1} w_j z| - |\Delta^{2(p-1)} z^{-1} w_j z| \geq 132 - 2 \cdot 46 = 40.$

This observation implies that for both parameter sets the sequences $\{|\Delta^{2p} z^{-1} u_i z|\}_{p=0}^{\infty}$ and $\{|\Delta^{2p} z^{-1} w_j z|\}_{p=0}^{\infty}$ are strictly increasing. Thus, to recover the original power of $\Delta$ one can repeatedly multiply the known element $\Delta^{2p} z^{-1} u_i z$ (and $\Delta^{2p} z^{-1} w_j z$) on the left by $\Delta^{-2}$ until the length cannot be reduced anymore (see Algorithm 2.1). Moreover, since the difference in length between two elements differing by $\Delta^2$ is at least 40, even crude approximations of the length function must work.

Algorithm 2.1 ($\Delta$-power recovery).
Input: An element $w \in B_n$.

Output: An element $u$ minimal in the left coset $\langle \Delta^2 \rangle w$.
Computations:
A. Set $u = w$.
B. If $|u| > |\Delta^{-2} u|$ then set $u = \Delta^{-2} u$ and goto B.
C. If $|u| > |\Delta^{2} u|$ then set $u = \Delta^{2} u$ and goto B.
D. Otherwise output $u$.



Clearly Algorithm 2.1 always terminates. The time complexity of the algorithm depends on the complexity of the procedure which approximates the geodesic length. The procedure is heuristic and its worst case complexity is not known. Experimental results in [5] suggest that the length approximation can be efficiently computed for most braid words, and we estimate the expected complexity of the procedure as $O(n)$. Under this assumption, it is easy to see that the power-recovery algorithm can be executed in at most $O((|w| + n^2)|w|/n^2) = O(|w|^2/n^2 + |w|)$ steps, as the algorithm performs up to $|w|/n^2$ iterations and on each iteration, for a word $u$ of length up to $|w|$, the length of the word $\Delta^2 u$ is estimated.

2.3. Recovering the conjugator. The second part of the attack computes a secret conjugator. At this point we assume that all $\Delta$-powers in the system (1) are successfully found and we have a system of equations of the form

(2)
$w''_1 = z w_1 z^{-1}$
$\vdots$
$w''_\gamma = z w_\gamma z^{-1}$
$v''_1 = z v_1 z^{-1}$
$\vdots$
$v''_\gamma = z v_\gamma z^{-1}$

or, equivalently,

$w_1 = z^{-1} w''_1 z$
$\vdots$
$w_\gamma = z^{-1} w''_\gamma z$
$v_1 = z^{-1} v''_1 z$
$\vdots$
$v_\gamma = z^{-1} v''_\gamma z$

where only the elements $w''_i = \Delta^{-2p_i} w'_i$ and $v''_j = \Delta^{-2r_j} v'_j$ are known. Let us call two sets of braids separated if they can be expressed as words over disjoint commuting sets of generators of $B_n$. As mentioned in Section 1.5, to break the protocol it is sufficient to find any conjugator $z'$ which conjugates the two tuples of elements $(u''_1, \dots, u''_\gamma)$ and $(w''_1, \dots, w''_\gamma)$ into two separated tuples of elements $(u_1, \dots, u_\gamma)$ and $(w_1, \dots, w_\gamma)$. This is the main goal of our attack.

Let $u = (u_1, \dots, u_m)$ be a tuple of elements in $B_n$ and $x$ an element of $B_n$. Denote by $|u|$ the total length of the elements in $u$, i.e., put

$|u| = \sum_{i=1}^{m} |u_i|.$

Denote by $u^x$ the tuple obtained from $u$ by conjugation of each of its elements by $x$. It is intuitively clear that conjugation of a tuple of braids by a random element $x$ almost always increases the length of the tuple. In other words, for a random element $x$ the inequality

(3) $|u^x| > |u|$

is almost always true. We do not have a proof of this fact, but numerous experiments convince us that it is true. Moreover, conjugation by longer elements almost always results in longer tuples.

The idea that successive conjugation increases the length of tuples is not new. It was used in the papers [4], [3] for different length functions with different success. But the most successful is a recent attack [6] which uses the approximation of the geodesic length. In this paper we use the idea of separating two tuples of braids. To find $z'$ we repeatedly conjugate the tuple $(u''_1, \dots, u''_\gamma, w''_1, \dots, w''_\gamma)$ by generators of $B_n$ and their inverses, and if for some generator $\sigma_i^{\varepsilon}$ a decrease of the total length of the tuple is observed, then it is reasonable to guess that $\sigma_i^{\varepsilon}$ is involved in $z'$.

Algorithm 2.2 (Recovering conjugator - I).
Input: Tuples $a = (a_1, \dots, a_\gamma)$ and $b = (b_1, \dots, b_\gamma)$.
Output: An element $z'$ separating tuples $a$ and $b$.
Initialization: Set $z' = 1$.
Computations:

A. For each $i = 1, \dots, n-1$ and $\varepsilon = \pm 1$ conjugate tuples $a$ and $b$ by the generator $\sigma_i^{\varepsilon}$ and compute

$\delta_{i,\varepsilon} = |a^{\sigma_i^{\varepsilon}}| + |b^{\sigma_i^{\varepsilon}}| - (|a| + |b|).$

B. If for some $\sigma_i^{\varepsilon}$ the sets $a^{\sigma_i^{\varepsilon}}$ and $b^{\sigma_i^{\varepsilon}}$ are separated then output $z' = \sigma_i^{\varepsilon} z'$.

C. Otherwise, if all $\delta_{i,\varepsilon}$ are positive (i.e., conjugation by $\sigma_i^{\varepsilon}$ cannot further decrease the total length) then output FAILURE.

D. Otherwise choose $i$ and $\varepsilon$ for which $\delta_{i,\varepsilon}$ is minimal. Set $z' = \sigma_i^{\varepsilon} z'$, $a = a^{\sigma_i^{\varepsilon}}$, and $b = b^{\sigma_i^{\varepsilon}}$. Goto step A.

The described attack is similar to the one described in [6]. Recall that the main problem in [6] was the existence of so-called peaks (see [6, Definition 2.5]). This phenomenon is a consequence of the difficult structure of finitely generated subgroups of braid groups. In this paper we do not have this problem, as $z$ is chosen in the whole group $B_n$.

Note that Algorithm 2.2 is a greedy descent procedure. It may fail due to the fact that there exists a small fraction of words for which the inequality (3) does not hold. It is also prone to length approximation errors. One can significantly reduce the failure rate of a descent procedure by introducing a backtracking algorithm which allows exploration of more than one search path. Algorithm 2.3 gives an implementation of the attack with backtracking.

Algorithm 2.3 (Recovering conjugator with backtracking).
Input: Tuples $a = (a_1, \dots, a_\gamma)$ and $b = (b_1, \dots, b_\gamma)$.
Output: An element $z'$ separating tuples $a$ and $b$.
Initialization: Set $S = \{(a, b, 1)\}$.
Computations:

A. If $S = \emptyset$ then output FAILURE.

B. Choose $(x, y, c) \in S$ such that $|x| + |y|$ is minimal.

C. For each $i = 1, \dots, n-1$ and $\varepsilon = \pm 1$ conjugate tuples $x$ and $y$ by the generator $\sigma_i^{\varepsilon}$ and compute

$\delta_{i,\varepsilon} = |x^{\sigma_i^{\varepsilon}}| + |y^{\sigma_i^{\varepsilon}}| - (|x| + |y|).$

D. If for some $\sigma_i^{\varepsilon}$ the sets $x^{\sigma_i^{\varepsilon}}$ and $y^{\sigma_i^{\varepsilon}}$ are separated then output $z' = \sigma_i^{\varepsilon} c$.

E. Otherwise, for each $i = 1, \dots, n-1$ and $\varepsilon = \pm 1$ add the tuple $(x^{\sigma_i^{\varepsilon}}, y^{\sigma_i^{\varepsilon}}, \sigma_i^{\varepsilon} c)$ to the set $S$. Goto step A.

We must mention here that, although there is a possibility that Algorithm 2.3 outputs FAILURE or does not terminate on some inputs, this situation has never occurred in our experiments.
Finally, we present another modification of Algorithm 2.2.

Algorithm 2.4 (Recovering conjugator - II).
Input: Tuples $a = (a_1, \dots, a_\gamma)$ and $b = (b_1, \dots, b_\gamma)$.
Output: An element $z'$ separating tuples $a$ and $b$.
Initialization: Set $z' = 1$.
Computations:
A. For each $i = 1, \dots, n-1$ and $\varepsilon = \pm 1$ conjugate tuples $a$ and $b$ by the generator $\sigma_i^{\varepsilon}$ and compute

$\delta_{i,\varepsilon} = |a^{\sigma_i^{\varepsilon}}| + |b^{\sigma_i^{\varepsilon}}| - (|a| + |b|).$

B. If all $\delta_{i,\varepsilon}$ are positive (i.e., conjugation by $\sigma_i^{\varepsilon}$ cannot further decrease the total length) and the sets $a$ and $b$ are separated then output $z'$.

C. If all $\delta_{i,\varepsilon}$ are positive (i.e., conjugation by $\sigma_i^{\varepsilon}$ cannot further decrease the total length), but the sets $a$ and $b$ are not separated then output FAILURE.

D. Otherwise choose $i$ and $\varepsilon$ for which $\delta_{i,\varepsilon}$ is minimal. Set $z' = \sigma_i^{\varepsilon} z'$, $a = a^{\sigma_i^{\varepsilon}}$, and $b = b^{\sigma_i^{\varepsilon}}$. Goto step A.

Algorithms 2.2 and 2.4 are almost the same except that they have different termination conditions. Algorithm 2.2 stops as soon as the tuples are separated, while Algorithm 2.4 tries to minimize the total length of the tuple and, when the minimal value is reached, checks whether the current tuples are separated.

The complexity of step A in Algorithms 2.2 and 2.4 is $O(n \sum_i (|a_i| + |b_i|))$. The maximal number of iterations can be bounded by the total length of the input $\sum_i (|a_i| + |b_i|)$. A very crude upper bound on the complexity of the two algorithms is $O(n (\sum_i (|a_i| + |b_i|))^2)$.

The complexity of Algorithm 2.3 is harder to estimate. Potentially, the backtracking mechanism may cause the algorithm to explore exponentially many potential solutions. However, our experiments show that very few backtracking steps are required to find a solution.

2.4. Results of experiments. The attack was tested on different sets of instances of the protocol. In particular, we generated the sets $BL$ and $BR$ randomly and also used the fixed sets $BL = \{\sigma_1, \dots, \sigma_l\}$ and $BR = \{\sigma_{l+2}, \dots, \sigma_{n-1}\}$. We used the proposed values of the parameters (see Section 1.6). In addition the attack was tested on instances generated with increased length of the secret conjugator $z$.

In all the experiments Algorithm 2.3 had 100% success in producing a separating conjugator $z'$. The average time of a run of the algorithm was 4.5 seconds when executed on a Dual Core Opteron 2.2 GHz machine with 4GB of RAM. The algorithm without backtracking had a slightly smaller but still respectable success rate of 90%. It is very interesting to notice that Algorithm 2.4 actually recovered the original secret conjugator $z$ in about 40% of the cases. That is the reason we mention this algorithm in the paper.

Experiments with instances of the TTP protocol generated using $|z| = 50$ (which is almost three times greater than the suggested value) again showed a 100% success rate. However, we need to point out that the attack may fail when the length of $z$ is large relative to the length of $\Delta$. For instance, when in the second parameter set the length of $z$ is increased to 100, the algorithm recovering $\Delta$-powers sometimes outputs wrong values. Nevertheless, the success rate of Algorithm 2.3 is still about 90% in this case. We think it is possible to modify our algorithms to work with increased parameter values. But the biggest concern here is that the protocol with increased parameter values might not be suitable for the purposes of lightweight cryptography.